Method and apparatus for computer network security

ABSTRACT

Techniques are provided for computer network security. The techniques include obtaining operational data for at least a first networked application; obtaining enterprise data for at least a second networked application; correlating the operational data with the enterprise data to obtain correlated data; and using the correlated data to improve security of the computer network.

FIELD OF THE INVENTION

The present invention generally relates to information technology, and, more particularly, to a method and apparatus for computer network security.

BACKGROUND OF THE INVENTION

In current enterprises and systems, each user has many user-names and passwords. Single sign-on systems are currently developed and deployed which require the user to know only a single user-ID and password to access the enterprise systems. However, since several sites may require such password protection, it is cumbersome for the user to type the same password at multiple sites.

The current state of the art for enabling users to access the network typically requires the use of an access point for the user laptop to connect to the enterprise network. The access point could be a wireless access point if the user is joining an 802.1X-protected wireless network, a virtual private network (VPN) gateway if the user is dialing into the VPN server of an enterprise, the first router on the path of a physical network connecting the user to the enterprise network, and so on. Typically, the access point has a mechanism to authenticate the user device to the network: for example, wireless access may require a Wired Equivalent Privacy (WEP) key (a shared secret rather than a per-user credential), or an 802.1X exchange such as Lightweight Extensible Authentication Protocol (LEAP) with a user-ID and password; VPN gateway access may require a user certificate or user-ID and password information; and wired access may require Remote Authentication Dial-In User Service (RADIUS) authentication with a user-ID and password or other credentials. The user-ID and password is the key to associating an identity with the user. Currently, the credentials used in the wireless access point authentication cannot be shared with other applications running in the enterprise.

Current solutions for asset notification usually do not send a notification before disconnecting a user. Also, such solutions generally have out-of-date information, or use mechanisms that are not accessible when the machine is disconnected.

It would thus be desirable to overcome the limitations in previousapproaches.

SUMMARY OF THE INVENTION

Principles of the present invention provide techniques for computer network security. An exemplary method (which can be computer-implemented) for computer network security, according to one aspect of the invention, can include steps of obtaining operational data for at least one networked application; obtaining enterprise data for at least one networked application; correlating the operational data with the enterprise data to obtain correlated data; and using the correlated data to improve security of the computer network.

One or more embodiments of the invention can be implemented in the form of a computer product including a computer usable medium with computer usable program code for performing the method steps indicated. Furthermore, one or more embodiments of the invention can be implemented in the form of an apparatus including a memory and at least one processor that is coupled to the memory and operative to perform exemplary method steps.

One or more embodiments of the invention may provide one or more beneficial technical effects, such as, for example, providing an approach which obviates the need for a user to remember an explicit password and user-ID, but still allows a user to access distributed applications of a network that implements existing security authentication mechanisms. Also, one or more embodiments of the invention may provide the beneficial effect of notifying owners of assets in an enterprise which are disconnected from the enterprise network due to security or other policy violations via non-network mechanisms, so that the owners are aware of the assets being disconnected.

These and other objects, features and advantages of the present invention will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram illustrating a method for improving security in a computer network, according to one embodiment of the invention;

FIG. 2 is a block diagram illustrating a method for improving security in a computer network, according to one embodiment of the invention;

FIG. 3 is a block diagram illustrating a method for improving security in a computer network, according to one embodiment of the invention; and

FIG. 4 is a system diagram of an exemplary computer system on which one or more embodiments of the present invention can be implemented.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Computer networks typically contain several types of data; exemplary embodiments of the invention deal with two types of data, namely, “operational data” and “enterprise data.” Operational data may be defined as data that is generated during the normal course of operation of a computer network. Operational data may also be defined as data that is generated by systems and applications during the normal course of their operation. Examples of operational data include logs generated by network access devices, logs generated by network applications, fields such as the identity of remote connections maintained during the operation of network protocols, and the like. Enterprise data may be defined as data that is maintained for user accounting, billing, record-keeping and other administrative aspects of an enterprise. Enterprise data may also be defined as information that is available within an enterprise and/or about a user which provides records about aspects of a user which are independent of the operation and/or normal usage of the system. Enterprise data includes, for example, information such as the employee directory of an organization, a database of computers owned by an employee, a record of customers and their postal addresses, and the like. In existing computer security applications, operational data and enterprise data are treated as independent entities. In one or more embodiments of the invention, techniques are provided for correlating the information available in operational data with that of enterprise data to build new security mechanisms. Security mechanisms that leverage both enterprise and operational data may advantageously enable many security methods which are hard to achieve using existing systems.

FIG. 1 shows a flow diagram illustrating a method for improving security in a computer network, according to one embodiment of the invention. Step 102 includes obtaining operational data for at least a first networked application. Step 104 includes obtaining enterprise data for at least a second networked application. The first and second networked applications can be the same or different. Step 110 includes correlating the operational data with the enterprise data to obtain correlated data. Step 112 includes using the correlated data to improve security of the computer network. Optionally, the method illustrated in FIG. 1 can also include step 106, converting operational data into an operational data canonical form, and step 108, converting enterprise data into an enterprise data canonical form.

In one embodiment of the invention, the method for improving security in a computer network includes correlating operational data (for example, logs from networked systems and applications) and enterprise data (for example, the enterprise directory, user account records, etc.) within an enterprise to maintain a continuous mapping from network identifiers (for example, certificates, Internet Protocol (IP) addresses, etc.) to the owning individual (user name, corporation name). This mapping is then leveraged to build one or more of the security applications described below.

This embodiment of the invention employs a system that correlates two types of data: operational data and enterprise data. By way of example and not limitation, instances of operational data include logs that are generated by several systems, for example dynamic host configuration protocol (DHCP) server logs, domain name system (DNS) server logs, and web-server logs, as well as pieces of information that are required to be known to any application in order for it to complete its communication, for example IP addresses, uniform resource locators (URLs) being accessed, and domain names of sites one is connecting to. Examples of enterprise data include organization charts and/or enterprise directories in corporations, billing records, and user account databases.

In one embodiment, the operational and enterprise data are correlated within a single administrative domain by way of a system herein referred to as the Security Information Server (SIS). The Security Information Server obtains the different types of operational data (for example logs, DNS records, etc.) from all the different appropriate devices within the network. The Security Information Server converts each type of operational data into an operational data canonical form. Canonical form may be defined as a standard or common representation of data. Canonical form may also be defined as an application-independent representation of data in the case, for example, where such data is itself in multiple application-specific formats.

Similarly, the Security Information Server obtains the different types of enterprise data from the various applications within the network and converts each type of enterprise data to an enterprise data canonical form. The Security Information Server then correlates the enterprise data with the operational data that is within the network. The SIS now has the ability to take a specific piece of operational data (for example an IP address or URL) and provide the enterprise-level data (for example user name or user address) about the entity which has that IP address or URL. Because addresses are reassigned over time, the correlation is keyed on time as well as on the address: the question the SIS answers is who held a given address at a given instant. These capabilities of the SIS, which can be provided by way of a web service or other remote invocation, can be used to identify in real time the entity with which a machine has an ongoing communication.
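The canonicalization and correlation just described, as an added example (not code from the patent): two constructed operational log sources, a DHCP server log and an access-point RADIUS log in vendor-like formats that are assumptions of this example, plus a constructed employee directory as the enterprise data. Each source is converted to a canonical record and joined on MAC address and time window, so the SIS can answer "who held IP address X at time T". The log formats, field names, the log year and the directory contents are all assumed.

```python
"""Toy Security Information Server (SIS): canonicalize two operational log
sources and one enterprise directory, then join them to answer
"who held IP address X at time T".  Added example, not code from the patent;
the log formats, field names, year and directory contents are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed operational data: DHCP allocations/releases and access-point RADIUS accepts.
DHCP_LOG = """\
2024-03-04T08:59:58Z DHCPACK on 10.1.4.23 to 00:11:22:33:44:55 (lt-0421) lease 7200
2024-03-04T09:30:12Z DHCPACK on 10.1.4.24 to 66:77:88:99:aa:bb (lt-0988) lease 3600
2024-03-04T10:05:00Z DHCPRELEASE of 10.1.4.23 from 00:11:22:33:44:55
"""
AP_AUTH_LOG = """\
Mar  4 08:59:55 ap-3f radius: Access-Accept user=jdoe calling-station-id=00-11-22-33-44-55
Mar  4 09:30:09 ap-3f radius: Access-Accept user=asmith calling-station-id=66-77-88-99-AA-BB
"""
LOG_YEAR = 2024  # syslog lines carry no year; assumed here

# Constructed enterprise data: the employee directory keyed by intranet user-ID.
DIRECTORY = {
    "jdoe":   {"name": "Jane Doe", "email": "jdoe@example.com",   "phone": "+1-555-0101"},
    "asmith": {"name": "Al Smith", "email": "asmith@example.com", "phone": "+1-555-0102"},
}

@dataclass(frozen=True)
class Lease:          # canonical address allocation: which MAC held which IP, and when
    mac: str
    ip: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class AuthEvent:      # canonical link-layer authentication: which user-ID came from which MAC
    mac: str
    user_id: str
    at: datetime

def canon_mac(raw: str) -> str:
    """Vendors write MACs with ':' or '-' and mixed case; normalize before joining on them."""
    return raw.lower().replace("-", ":")

DHCP_RE = re.compile(r"^(\S+) DHCP(ACK|RELEASE) (?:on|of) (\S+) (?:to|from) (\S+)(?: \(\S+\) lease (\d+))?")
AP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ radius: Access-Accept user=(\S+) calling-station-id=(\S+)")

def parse_dhcp(text: str) -> list:
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        kind, ip, mac = m.group(2), m.group(3), canon_mac(m.group(4))
        if kind == "ACK":
            leases.append(Lease(mac, ip, ts, ts + timedelta(seconds=int(m.group(5)))))
        else:
            # A release ends the open lease early; otherwise the IP would keep mapping to the old user.
            for i, lease in enumerate(leases):
                if lease.mac == mac and lease.ip == ip and lease.start <= ts < lease.end:
                    leases[i] = Lease(mac, ip, lease.start, ts)
    return leases

def parse_ap_auth(text: str, year: int) -> list:
    events = []
    for line in text.splitlines():
        m = AP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            events.append(AuthEvent(canon_mac(m.group(3)), m.group(2), ts))
    return events

class SecurityInformationServer:
    def __init__(self, leases, auth_events, directory):
        self.leases = leases
        self.auth = sorted(auth_events, key=lambda e: e.at)
        self.directory = directory

    def lease_for(self, ip: str, at: datetime):
        hits = [x for x in self.leases if x.ip == ip and x.start <= at < x.end]
        return max(hits, key=lambda x: x.start) if hits else None

    def user_for_mac(self, mac: str, at: datetime):
        prior = [e for e in self.auth if e.mac == mac and e.at <= at]
        return prior[-1].user_id if prior else None

    def who_had(self, ip: str, at: datetime):
        """IP -> lease -> MAC -> authenticated user-ID -> directory entry; None if any link is missing."""
        lease = self.lease_for(ip, at)
        user_id = self.user_for_mac(lease.mac, at) if lease else None
        entry = self.directory.get(user_id) if user_id else None
        if entry is None:
            return None
        return {"user_id": user_id, "mac": lease.mac, "ip": ip, **entry}

SIS = SecurityInformationServer(parse_dhcp(DHCP_LOG), parse_ap_auth(AP_AUTH_LOG, LOG_YEAR), DIRECTORY)

def who_had(ip: str, iso_ts: str):
    """Entry point taking an ISO-8601 UTC timestamp, e.g. who_had("10.1.4.23", "2024-03-04T09:30:00Z")."""
    return SIS.who_had(ip, datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ"))
```

The join deliberately refuses to answer when any link is missing: an address with no lease, a lease whose MAC never authenticated, or a user-ID absent from the directory all yield None rather than a guess. The DHCPRELEASE handling is what keeps a released address from being attributed to its previous holder.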

Several computer forensics applications can also be performed by manual observation and correlation of the operational data and enterprise data within an organization. One or more embodiments of the invention may create several new security applications, and provide real-time crime prevention, as a result of having a system that provides operational and enterprise data in canonical format and correlates the two types of data.

FIG. 2 shows a block diagram illustrating a method for improving security in a computer network, according to one embodiment of the invention. The system 200 comprises components including a user device 202 attempting to access the computer network, an access point 204, a Security Information Server 208, an enterprise directory 210, an enterprise single sign-on system 212, and an application 214; the system may also contain a DHCP server 206. The system 200 also comprises method steps depicted by the enumerated arrows, as described below.

In step 220, the user device 202 inputs information, such as a user-ID and password, to the access point 204. In step 222, the access point 204 provides the user device 202 with operational data such as a unique address via a DHCP server 206. Subsequently, in step 224, the access point 204 provides the credentials used by the user device 202 and the assigned unique address to the SIS 208. The SIS 208, in step 226, uses the information contained in the credentials to access an enterprise directory 210 and map the information to a user within the enterprise. In step 228, the SIS 208 provides user information and the currently assigned DHCP address of the user to an enterprise single sign-on system 212. The single sign-on system 212 uses the unique address as an alias for the user and provides single sign-on ability from the user device 202 to an application 214 via step 230. Optionally, the illustrated method also includes step 232, eliminating the single sign-on ability of the user when the user disconnects from the computer network.

According to this embodiment, operational data can comprise a record of a unique address allocation to a user device attempting to access the computer network, and enterprise data can comprise credentials associated with local authentication at the user device. Also, the step of correlating the operational data with the enterprise data to obtain correlated data comprises associating the unique address and credentials with the authentication information stored in a single sign-on server. The step of using the correlated data to improve security of the computer network comprises providing a user of the user device with single sign-on ability responsive to an indication of an appropriate match between the unique address and credentials and the authentication information.

The unique address can include, by way of example and not limitation, an IP address, and the credentials can include, by way of example and not limitation, biometric credentials.

The user-ID and password that the network uses to authenticate a machine at the access point, before the machine is granted an address via DHCP, is correlated with the owning user and/or employee and/or customer, and is then used to provide access to other password-protected systems within the enterprise network.

In another embodiment of the invention, the method illustrated in FIG. 2 comprises the additional step of eliminating the single sign-on ability of the user when the user disconnects from the computer network. When the user disconnects from the enterprise system, the mapping of the IP address to the user is eliminated from the single sign-on mechanism.

As illustrated in FIG. 2, one embodiment of the invention, in conjunction with biometric oriented approaches, provides a solution that does not require a user to remember any passwords.

A user can access an application without typing a password even though the application is implemented so as to secure access by way of a user-ID and password, or other credentials. In another embodiment, the user connects to the network of the enterprise using a desktop and/or laptop which has a biometric or other form of identification which ensures that only a properly authorized user can access and use the computer. Also, the same mechanism can be used for other devices such as, by way of example and not limitation, desktop computers, personal digital assistants (PDAs), cell-phones, and other devices which access the enterprise network using the Internet Protocol.

The SIS uses the information contained in the credentials to access an enterprise directory (i.e., enterprise data) and map it to a user within the enterprise. By way of example and not limitation, the SIS can use the enterprise's intranet user-ID contained in the LEAP wireless authentication to determine the e-mail ID, serial number, and other identifying information of the user from a corporate on-line directory.

The single sign-on system or SIS may implement additional mechanisms to provide added security to the above solution. By way of example and not limitation, the single sign-on system may trace back packets to clients to ensure that no one is trying to hijack or use an IP address assigned to a different user. Note that the SIS can immediately determine the enterprise identity of the owners of the masquerading machines (which need access to the network through the DHCP server or otherwise) and block their network access, or take other action such as notifying the owners of these machines. Other network security mechanisms may also be enforced to improve the security of the computer network (for example, the access point will only allow packets from machines whose media access control (MAC) address and IP address pair has been issued by the DHCP server). Because a MAC address can be forged by the sender, such filtering is only as strong as the link-layer authentication that preceded the address assignment, and the IP-to-user alias should be withdrawn as soon as that authenticated session or its DHCP lease ends.
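The FIG. 2 alias mechanism together with the anti-hijack checks above, as an added example (not code from the patent): the access point reports (user-ID, MAC, DHCP-assigned IP) to the SIS, the SIS registers the IP as the user's alias at the single sign-on system, an application asks the SSO system who is behind a source IP, the access-point rule passes only (MAC, IP) pairs issued by DHCP, and the alias is withdrawn on disconnect. Class and method names, the directory and the sample session are assumptions of this example.

```python
"""Single sign-on alias and anti-hijack checks for the FIG. 2 embodiment.
Added example, not code from the patent; names, the directory and the
sample session are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    user_id: str
    mac: str
    ip: str


class SingleSignOn:
    """The IP address stands in for the user: no password is presented to the application."""

    def __init__(self):
        self.by_ip = {}

    def register(self, b: Binding):
        self.by_ip[b.ip] = b

    def revoke(self, ip: str):
        self.by_ip.pop(ip, None)

    def principal(self, src_ip: str):
        """What the application asks at step 230: which user, if any, is signed on from src_ip."""
        b = self.by_ip.get(src_ip)
        return b.user_id if b else None


class SISGateway:
    def __init__(self, directory: dict, sso: SingleSignOn):
        self.directory = directory      # enterprise data
        self.sso = sso
        self.issued = {}                # operational data: ip -> mac as allocated by DHCP

    def on_access(self, user_id: str, mac: str, ip: str) -> bool:
        """Steps 224 to 228: map the access credential to a directory user and publish the alias."""
        if user_id not in self.directory:
            return False                # credential not in the enterprise directory: no alias
        self.issued[ip] = mac
        self.sso.register(Binding(user_id, mac, ip))
        return True

    def on_release(self, ip: str):
        """Step 232: the lease ends or the user disconnects, so the alias goes with it."""
        self.issued.pop(ip, None)
        self.sso.revoke(ip)

    def packet_allowed(self, src_mac: str, src_ip: str) -> bool:
        """Access-point filter: pass only packets whose (MAC, IP) pair was issued by DHCP.
        Catches a client borrowing another user's IP; a client that also forges the victim's
        MAC is only stopped by the link-layer authentication that preceded the lease."""
        return self.issued.get(src_ip) == src_mac

    def owner_of_mac(self, mac: str):
        """Identify the masquerading machine's owner from its own authenticated session."""
        for b in self.sso.by_ip.values():
            if b.mac == mac:
                return b.user_id
        return None


def run_scenario() -> dict:
    directory = {"jdoe": "Jane Doe", "asmith": "Al Smith"}   # constructed enterprise data
    sso = SingleSignOn()
    sis = SISGateway(directory, sso)
    out = {}
    # Two users authenticate at the access point and receive DHCP addresses.
    sis.on_access("jdoe", "00:11:22:33:44:55", "10.1.4.23")
    sis.on_access("asmith", "66:77:88:99:aa:bb", "10.1.4.24")
    out["unknown_user_registered"] = sis.on_access("mallory", "de:ad:be:ef:00:01", "10.1.4.25")
    out["jdoe_principal"] = sso.principal("10.1.4.23")
    out["genuine_packet_allowed"] = sis.packet_allowed("00:11:22:33:44:55", "10.1.4.23")
    # asmith's machine sends packets with jdoe's IP to ride on her sign-on.
    out["spoofed_packet_allowed"] = sis.packet_allowed("66:77:88:99:aa:bb", "10.1.4.23")
    out["masquerader"] = sis.owner_of_mac("66:77:88:99:aa:bb")
    # jdoe disconnects: her alias must disappear, or the next holder of 10.1.4.23 inherits her access.
    sis.on_release("10.1.4.23")
    out["after_release"] = sso.principal("10.1.4.23")
    return out
```

The revocation on release is the security-critical part: the alias is an ambient credential tied to an address, so anything that lets the address outlive the authenticated session (a stale lease table, a missed release) hands the user's sign-on to whoever gets that address next.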

FIG. 3 shows a block diagram illustrating a method for improving security in a computer network, according to one embodiment of the invention. The system 300 contains a device associated with a violation 302, a configuration checker 304, a notifier 306, a Security Information Server 308, a DHCP server 310, a directory server 312, and a user communications module 314. The system 300 performs method steps depicted by the enumerated arrows, as described below.

In step 320, a device associated with a violation 302 attempts DHCP access to a local-area network (LAN). In step 322, the configuration checker 304 checks the configuration of the device 302, obtains an indication of a violation within the computer network, and terminates access to the network for the device 302. In step 324, the configuration checker 304 informs the notifier 306 of the violation. Also, the DHCP server 310 sends operational data to the SIS 308 via step 330, and a directory server 312 sends enterprise data to the SIS 308 via step 332, at which point the notifier 306 determines the identity of the user of the device 302 from the SIS 308 in step 328. In step 334, the notifier 306, using the correlated data from the SIS 308, sends to the user communications module 314 a notification to the user 316 that access to the computer network has been terminated. The notification to the user may be provided in a variety of ways. One possible mechanism for notifying the user would be to use the notifier 306 to place a computer-generated telephone call to the user. One approach that can be used to place a computer-generated telephone call is to use a computer communication protocol such as the Session Initiation Protocol (SIP).

The violation associated with the device 302 can include, by way of example and not limitation, a virus, a security violation, and improper software. The user communications module 314 can include, by way of example and not limitation, a module capable of sending and/or receiving a telephone message, e-mail, FAX, or pager message.

This embodiment of the invention provides a timely notification, and does not rely on network connectivity being present to the user being notified. The owner and/or user of a security asset is identified from the correlated information, and the owner's entry in an organization directory and/or account information is used to identify and notify the person, for example, via a telephone message, e-mail, FAX, or pager message.

A security management server is capable of tracking the configuration and/or other properties of a device and terminating the network access of a device which violates the specified guidelines. Such management applications and servers exist in the current state of the art, but usually disconnect devices silently without any notification to the user.

The SIS server in the enterprise uses the authentication information used for accessing the access link within the enterprise environment to look up the enterprise directory, and to identify the user of a machine accessing the network. The enterprise directory can be used to look up e-mail, telephone number, FAX number, pager number and other ways to reach the user. When an indication of a violation on a device is obtained, and the system decides to terminate the access of the device to the network, a voice-over-internet-protocol (VoIP) server attached to the security management server notifies the user by phone, pager or FAX that the access of a specific machine to the network has been disconnected. The identity lookup should be keyed to the address allocation that was in force at the time of the violation, since once access is terminated the device's DHCP lease may be released and its address reassigned.
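The notifier side of FIG. 3, as an added example (not code from the patent): on a violation report from the configuration checker, the owner is resolved through the SIS answer that is on record for the device's address, access is terminated, and a contact channel is chosen from the directory in the order phone, pager, FAX, e-mail. The first three reach the person without any device on the enterprise network; an owner who has only an e-mail address gets their manager paged or telephoned instead, because the mailbox may only be readable from the machine that was just cut off. The directory fields, the SIP gateway domain, and the sample directory and SIS answers are assumptions of this example.

```python
"""Out-of-band notification for the FIG. 3 embodiment.  Added example, not
code from the patent; field names, the SIP domain and the sample data are
assumptions."""
from dataclasses import dataclass

OUT_OF_BAND = ("phone", "pager", "fax")   # reach the user without any device on the enterprise network
ALL_CHANNELS = OUT_OF_BAND + ("email",)

# Constructed enterprise data: directory entries with contact details and manager.
DIRECTORY = {
    "jdoe":   {"name": "Jane Doe", "phone": "+1 555 0101", "email": "jdoe@example.com", "manager": "bboss"},
    "asmith": {"name": "Al Smith", "email": "asmith@example.com", "manager": "bboss"},
    "bboss":  {"name": "Bo Boss", "pager": "5550199", "email": "bboss@example.com", "manager": None},
}
# Constructed correlated data, as the SIS would answer it for the allocation in force at violation time.
SIS_OWNER_BY_IP = {"10.1.4.23": "jdoe", "10.1.4.24": "asmith"}
SIP_DOMAIN = "voip.example.com"   # assumption: a SIP/VoIP gateway that dials the user part as an E.164 number


@dataclass(frozen=True)
class Violation:
    ip: str
    mac: str
    kind: str           # e.g. "virus", "improper software", "security violation"


@dataclass(frozen=True)
class Notification:
    recipient: str      # directory user-ID that receives the message
    channel: str
    address: str        # dial string / pager number / fax number / e-mail address
    message: str


def contact_address(channel: str, value: str) -> str:
    """Phone numbers become SIP URIs for the VoIP server; other channels are used as stored."""
    if channel == "phone":
        return "sip:+" + "".join(c for c in value if c.isdigit()) + "@" + SIP_DOMAIN
    return value


def pick_channel(entry: dict, allowed) -> tuple:
    for ch in allowed:
        if entry.get(ch):
            return ch, contact_address(ch, entry[ch])
    return None, None


def handle_violation(v: Violation, actions: list):
    """Run the step order of FIG. 3, recording it in `actions`; return the Notification or None."""
    owner = SIS_OWNER_BY_IP.get(v.ip)     # step 328: resolve against the allocation on record
    actions.append(("resolve", owner))
    actions.append(("terminate", v.mac))  # step 322: the device loses network access
    if owner is None:
        return None                       # nobody to notify; the termination still stands
    who = DIRECTORY[owner]
    text = f"{who['name']}: your machine {v.mac} ({v.ip}) was disconnected from the network: {v.kind}."
    channel, address = pick_channel(who, OUT_OF_BAND)
    if channel is None and who.get("manager"):
        # Owner is reachable only through a mailbox; escalate to the manager out of band.
        boss = DIRECTORY[who["manager"]]
        channel, address = pick_channel(boss, OUT_OF_BAND)
        if channel is not None:
            return Notification(who["manager"], channel, address, "Please relay: " + text)
    if channel is None:
        channel, address = pick_channel(who, ALL_CHANNELS)   # last resort: e-mail
    if channel is None:
        return None
    return Notification(owner, channel, address, text)
```

The message names the specific machine (MAC and address) and the reason, which is what the owner needs to tell a genuine disconnection from a social-engineering call that merely claims one; a deployment would also want the notifier's outbound calls to be rate-limited and logged against the violation record.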

The combination of operational and enterprise data can be used for many other functions within the network to improve security. These include, by way of example and not limitation, actions such as improved tracking of devices that are infected by viruses and automatic notification of the corresponding employees by an enterprise, as well as automatic notification of virus infection in customer computers by internet service providers (ISPs).

In another embodiment of the invention, the SIS provides improved tracking of the owners of sites that are at the other end of a connection with the network (as in anti-phishing toolbars). This also allows for better accounting and user chargeback on the basis of metrics such as, for example, which user is accessing a specific network in an enterprise.

According to this embodiment, operational data comprises an IP address of a remote party of a connection with the computer network, and a domain name associated with the IP address, and enterprise data comprises user registration information maintained by a provider of network connectivity to the remote party of the connection.

The step of correlating operational data with enterprise data to obtain correlated data comprises checking that the domain name displayed to a local party of the connection matches the user registration information. Also, the step of using the correlated data to improve security of the computer network comprises displaying an alert to the local party of the connection based on an outcome of the correlating step. The connection can also comprise an HTTP protocol Internet connection.
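The remote-party check of this embodiment, as an added example (not code from the patent): the operational data is the host name the user sees in the URL and the IP address the connection actually goes to; the enterprise data is the registration information for that IP block, as held by the provider of connectivity, and for the domain. The check alerts when the two registrations do not name the same party, when the URL hides the real host behind a user name, when the host is a bare IP address, or when no record exists. The registries, the resolver answers and the registrable-domain rule are constructed assumptions; a deployment would query DNS and WHOIS/RDAP instead.

```python
"""Remote-party check for the anti-phishing embodiment.  Added example, not
code from the patent; the registries, resolver answers and domain rule are
constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed enterprise data: who each IP block and each domain is registered to.
IP_REGISTRY = {
    "203.0.113.0/24": "Example Bank Inc.",
    "198.51.100.0/24": "Cheap Hosting LLC",
}
DOMAIN_REGISTRY = {
    "examplebank.com": "Example Bank Inc.",
    "examp1ebank.com": "Privacy Proxy Ltd.",
}
# Constructed operational data: resolver answers observed for this connection.
RESOLVED = {
    "www.examplebank.com": "203.0.113.10",
    "www.examp1ebank.com": "198.51.100.7",
    "login.examplebank.com.evil.example": "198.51.100.9",
}


@dataclass(frozen=True)
class Verdict:
    alert: bool
    reason: str


def registrable_domain(host: str) -> str:
    """Last two labels; a real deployment uses the public suffix list (assumption for this example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def ip_holder(ip: str):
    addr = ipaddress.ip_address(ip)
    for block, holder in IP_REGISTRY.items():
        if addr in ipaddress.ip_network(block):
            return holder
    return None


def check_url(url: str) -> Verdict:
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return Verdict(True, "URL has no host")
    if parts.username is not None:
        # "https://www.examplebank.com@198.51.100.7/" shows the bank's name but connects elsewhere.
        return Verdict(True, f"text before '@' is a user name; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        return Verdict(True, f"bare IP address {host}: no registered domain to compare")
    except ValueError:
        pass
    ip = RESOLVED.get(host)
    if ip is None:
        return Verdict(True, f"{host} did not resolve")
    domain = registrable_domain(host)
    registrant = DOMAIN_REGISTRY.get(domain)
    holder = ip_holder(ip)
    if registrant is None or holder is None:
        return Verdict(True, f"no registration record for {domain} or for {ip}")
    if registrant.casefold() != holder.casefold():
        return Verdict(True, f"{domain} is registered to {registrant} but {ip} belongs to {holder}")
    return Verdict(False, f"{domain} and {ip} are both registered to {registrant}")
```

Comparing registrant names as free text is the weak point of this check in practice: a legitimate site hosted on a CDN or cloud provider resolves to a block registered to that provider, so a deployment needs either organization identifiers in the registration data or a list of known hosting relationships to avoid alerting on every such site.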

In one or more inventive embodiments, the technique of correlating operational data and enterprise data can be used to create many different security solutions, and three such solutions have been described above. This combination, in other contexts, can enable several other security solutions.

A variety of techniques, utilizing dedicated hardware, general purpose processors, firmware, software, or a combination of the foregoing may be employed to implement the present invention. One or more embodiments of the invention can be implemented in the form of a computer product including a computer usable medium with computer usable program code for performing the method steps indicated. Furthermore, one or more embodiments of the invention can be implemented in the form of an apparatus including a memory and at least one processor that is coupled to the memory and operative to perform exemplary method steps.

One implementation of the present invention makes substantial use of software running on a general purpose computer or workstation. With reference to FIG. 4, such an implementation might employ, for example, a processor 402, a memory 404, and an input and/or output interface formed, for example, by a display 406 and a keyboard 408. The term “processor” as used herein is intended to include any processing device, such as, for example, one that includes a CPU (central processing unit) and/or other forms of processing circuitry. Further, the term “processor” may refer to more than one individual processor. The term “memory” is intended to include memory associated with a processor or CPU, such as, for example, RAM (random access memory), ROM (read only memory), a fixed memory device (for example, hard drive), a removable memory device (for example, diskette), a flash memory and the like. In addition, the phrase “input and/or output interface” as used herein is intended to include, for example, one or more mechanisms for inputting data to the processing unit (for example, mouse), and one or more mechanisms for providing results associated with the processing unit (for example, printer). The processor 402, memory 404, and input and/or output interface such as display 406 and keyboard 408 can be interconnected, for example, via bus 410 as part of a data processing unit 412. Suitable interconnections, for example via bus 410, can also be provided to a network interface 414, such as a network card, which can be provided to interface with a computer network, and to a media interface 416, such as a diskette or CD-ROM drive, which can be provided to interface with media 418.

Accordingly, computer software including instructions or code for performing the methodologies of the invention, as described herein, may be stored in one or more of the associated memory devices (for example, ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (for example, into RAM) and executed by a CPU. Such software could include, but is not limited to, firmware, resident software, microcode, and the like.

Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium (for example, media 418) providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer usable or computer readable medium can be any apparatus for use by or in connection with the instruction execution system, apparatus, or device.

The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid-state memory (for example memory 404), magnetic tape, a removable computer diskette (for example media 418), a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read and/or write (CD-R/W) and DVD.

A data processing system suitable for storing and/or executing program code will include at least one processor 402 coupled directly or indirectly to memory elements 404 through a system bus 410. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.

Input and/or output or I/O devices (including but not limited to keyboards 408, displays 406, pointing devices, and the like) can be coupled to the system either directly (such as via bus 410) or through intervening I/O controllers (omitted for clarity).

Network adapters such as network interface 414 may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters.

In any case, it should be understood that the components illustrated herein may be implemented in various forms of hardware, software, or combinations thereof, for example, application specific integrated circuit(s) (ASICs), functional circuitry, one or more appropriately programmed general purpose digital computers with associated memory, and the like. Given the teachings of the invention provided herein, one of ordinary skill in the related art will be able to contemplate other implementations of the components of the invention.

Although illustrative embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various other changes and modifications may be made by one skilled in the art without departing from the scope or spirit of the invention.

1. A method for improving security in a computer network, comprising thesteps of: obtaining operational data for at least a first networkedapplication; obtaining enterprise data for at least a second networkedapplication; correlating said operational data with said enterprise datato obtain correlated data; and using said correlated data to improvesecurity of said computer network.
 2. The method according to claim 1,wherein said first and second networked applications are the sameapplication.
 3. The method according to claim 1, wherein said first andsecond networked applications are different applications.
 4. The methodaccording to claim 1, further comprising the additional step ofconverting said operational data into an operational data canonicalform.
 5. The method according to claim 1, further comprising theadditional step of converting said enterprise data into an enterprisedata canonical form.
 6. The method according to claim 1, wherein: saidoperational data comprises a record of a unique address allocation to auser device attempting to access said computer network; said enterprisedata comprises credentials associated with local authentication at saiduser device; the step of correlating said operational data with saidenterprise data to obtain correlated data comprises associating saidunique address and said credentials with authentication informationstored in a single-sign-on server; and the step of using said correlateddata to improve security of said computer network comprises providing auser of said user device with single sign-on ability responsive to anindication of an appropriate match between said unique address and saidcredentials and said authentication information.
 7. The method accordingto claim 6, wherein said unique address comprises an IP address.
 8. Themethod according to claim 6, wherein said credentials comprise biometriccredentials.
 9. The method according to claim 6, further comprising anadditional step of eliminating said single sign-on ability of said userwhen said user disconnects from said computer network.
 10. The methodaccording to claim 1, wherein said step of using the correlated data toimprove network security further comprises the steps of: obtainingindication of a violation within said computer network; terminatingaccess to said computer network for a device associated with saidviolation; and notifying a user of said device that access to saidcomputer network has been terminated, using said correlated data. 11.The method according to claim 10, wherein said violation comprises avirus.
 12. The method according to claim 10, wherein said violationcomprises a security violation.
 13. The method according to claim 10,wherein said violation comprises improper software.
 14. The methodaccording to claim 1, wherein: said operational data comprises: an IPaddress of a remote party of a connection with said computer network;and a domain name associated with said IP address; said enterprise datacomprises user registration information maintained by a provider ofnetwork connectivity to said remote party of said connection; the stepof correlating said operational data with said enterprise data to obtaincorrelated data comprises checking that said domain name displayed to alocal party of said connection matches said user registrationinformation; and the step of using said correlated data to improvesecurity of said computer network comprises displaying an alert to saidlocal party of said connection based on an outcome of said correlatingstep.
 15. The method according to claim 14 wherein said connectioncomprises an HTTP protocol Internet connection.
 16. An apparatus forimproving security in a computer network, comprising: a memory; and atleast one processor coupled to said memory and operative to: obtainoperational data for at least one networked application; obtainenterprise data for at least one networked application; correlate saidoperational data with said enterprise data to obtain correlated data;and use said correlated data to improve security of said computernetwork.
 17. The apparatus of claim 16, wherein: said operational datacomprises a record of a unique address allocation to a user deviceattempting to access said computer network; said enterprise datacomprises credentials associated with local authentication at said userdevice; and said at least one processor is further operative to:correlate said operational data with said enterprise data to obtaincorrelated data by associating said unique address and said credentialswith authentication information stored in a single-sign-on server; anduse said correlated data to improve security of the computer network byproviding a user of said user device with single sign-on abilityresponsive to an indication of an appropriate match between said uniqueaddress and said credentials and said authentication information. 18.The apparatus of claim 16, wherein: said operational data comprises anIP address of a remote party of a connection with said computer network,and a domain name associated with said IP address; said enterprise datacomprises user registration information maintained by a provider ofnetwork connectivity to a remote use of an Internet connection; and saidat least one processor is further operative to: correlate saidoperational data with said enterprise data to obtain correlated data bychecking that said domain name displayed to a local party of saidconnection matches said user registration information; and use saidcorrelated data to improve security of said computer network bydisplaying an alert to said local party of said connection based on anoutcome of said correlating step.
19. A computer program product comprising a computer useable medium having computer useable program code for improving security in a computer network, said computer program product including: computer useable program code for obtaining operational data for at least one networked application; computer useable program code for obtaining enterprise data for at least one networked application; computer useable program code for correlating said operational data with said enterprise data to obtain correlated data; and computer useable program code for using said correlated data to improve security of said computer network.
20. The computer program product of claim 19, wherein: said operational data comprises a record of a unique address allocation to a user device attempting to access said computer network; said enterprise data comprises credentials associated with local authentication at said user device; and said computer program product further includes: computer useable program code for correlating said operational data with said enterprise data to obtain correlated data by associating said unique address and said credentials with authentication information stored in a single-sign-on server; and computer useable program code for using said correlated data to improve security of said computer network by providing a user of said user device with single sign-on ability responsive to an indication of an appropriate match between said unique address and said credentials and said authentication information.
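The correlation recited in claims 17 and 20 (a DHCP address allocation record matched against the credential accepted at the access point, then against the single-sign-on server's own records) can be demonstrated on a small set of log lines. The following is an added example, not code from the patent or from any product; the DHCP and RADIUS log formats, the field names and the SSO enrolment table are constructed for illustration. It also shows the case a practitioner most needs to get right: an IP address that has since been re-leased to a different, unauthenticated device must not inherit the previous holder's single sign-on.

```python
"""Correlate DHCP lease records (operational data) with 802.1x/RADIUS
authentication records and an SSO enrolment list (enterprise data) to
decide whether a request arriving from a given IP address may be granted
single sign-on without re-entering a password.

Added example. The log line formats, field names and the SSO directory
below are constructed for illustration and do not reproduce any
particular DHCP server, RADIUS server or SSO product.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed DHCP server log (operational data): one DHCPACK per lease,
# in time order. 10.0.0.5 is leased to alice's laptop first and later
# re-leased to a different device.
DHCP_LOG = """\
2024-03-01T08:00:01 dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:01 (alice-laptop) via eth0
2024-03-01T08:00:09 dhcpd: DHCPACK on 10.0.0.6 to aa:bb:cc:dd:ee:02 (bob-laptop) via eth0
2024-03-01T08:00:15 dhcpd: DHCPACK on 10.0.0.8 to aa:bb:cc:dd:ee:04 (carol-laptop) via eth0
2024-03-01T09:30:00 dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:03 (visitor) via eth0
"""

# Constructed 802.1x/RADIUS log (enterprise data): which credential the
# access point accepted or rejected for which client MAC address.
RADIUS_LOG = """\
2024-03-01T07:59:58 radiusd: Access-Accept user=alice mac=aa:bb:cc:dd:ee:01
2024-03-01T08:00:05 radiusd: Access-Accept user=bob mac=aa:bb:cc:dd:ee:02
2024-03-01T08:00:12 radiusd: Access-Accept user=carol mac=aa:bb:cc:dd:ee:04
2024-03-01T09:29:55 radiusd: Access-Reject user=mallory mac=aa:bb:cc:dd:ee:03
"""

# Constructed SSO server data: which authenticated users are enrolled for SSO.
SSO_DIRECTORY: Dict[str, bool] = {"alice": True, "bob": True, "carol": False}

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
DHCP_RE = re.compile(r"DHCPACK on (\S+) to (" + MAC + r")")
RADIUS_RE = re.compile(r"Access-(Accept|Reject) user=(\S+) mac=(" + MAC + r")")


def parse_leases(log: str) -> Dict[str, str]:
    """Map IP -> MAC from DHCPACK lines; the most recent lease for an IP wins."""
    leases: Dict[str, str] = {}
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            leases[m.group(1)] = m.group(2).lower()
    return leases


def parse_auth(log: str) -> Dict[str, str]:
    """Map MAC -> user for the latest RADIUS decision on that MAC.

    A later Access-Reject clears any earlier acceptance for the same MAC,
    so a device whose re-authentication failed is no longer trusted.
    """
    auth: Dict[str, str] = {}
    for line in log.splitlines():
        m = RADIUS_RE.search(line)
        if not m:
            continue
        decision, user, mac = m.group(1), m.group(2), m.group(3).lower()
        if decision == "Accept":
            auth[mac] = user
        else:
            auth.pop(mac, None)
    return auth


def sso_decision(ip: str, dhcp_log: str = DHCP_LOG, radius_log: str = RADIUS_LOG,
                 sso_directory: Dict[str, bool] = SSO_DIRECTORY
                 ) -> Tuple[bool, Optional[str], str]:
    """Return (grant, user, reason) for a request seen from `ip`.

    SSO is granted only when the IP's current lease, the MAC's accepted
    credential and the SSO enrolment all agree (the 'appropriate match').
    """
    mac = parse_leases(dhcp_log).get(ip)
    if mac is None:
        return False, None, "no DHCP lease for address"
    user = parse_auth(radius_log).get(mac)
    if user is None:
        return False, None, f"device {mac} has no accepted network authentication"
    if not sso_directory.get(user, False):
        return False, user, f"user {user} is not enrolled for SSO"
    return True, user, f"address {ip} -> device {mac} -> user {user}"


if __name__ == "__main__":
    for addr in ("10.0.0.5", "10.0.0.6", "10.0.0.8", "10.0.0.9"):
        print(addr, sso_decision(addr))
```

Only 10.0.0.6 is granted SSO: 10.0.0.5 was re-leased to a device whose authentication was rejected, 10.0.0.8 belongs to an authenticated user who is not enrolled, and 10.0.0.9 has no lease at all. In a deployment the lease and authentication records would be consumed as a live stream and the lease expiry time honoured as well; the ordering rule used here (latest record wins, a reject revokes) is the minimum needed to stop a stale address-to-user mapping from being turned into a login.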
21. The computer program product of claim 19, wherein: said operational data comprises: an IP address of a remote party of a connection with said computer network; and a domain name associated with said IP address; said enterprise data comprises user registration information maintained by a provider of network connectivity to a remote user of an Internet connection; and said computer program product further includes: computer useable program code for correlating said operational data with said enterprise data to obtain correlated data by checking that said domain name displayed to a local party of said connection matches said user registration information; and computer useable program code for using said correlated data to improve security of said computer network by displaying an alert to said local party of said connection based on an outcome of said correlating step.
22. The computer program product of claim 19, wherein: said operational data comprises: an IP address of a remote party of a connection with said computer network; and a domain name associated with said IP address; said enterprise data comprises user registration information maintained by a provider of network connectivity to said remote party of said connection; and said computer program product further includes: computer useable program code for correlating said operational data with said enterprise data to obtain correlated data by checking that said domain name displayed to a local party of said connection matches said user registration information; and computer useable program code for using said correlated data to improve security of said computer network by displaying an alert to said local party of said connection based on an outcome of said correlating step.
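Claims 18, 21 and 22 describe the second correlation: the remote party's IP address and the domain name shown to the local party are checked against the registration information held by the remote party's connectivity provider, and an alert is displayed on a mismatch. The block below is an added example and not the patent's or any product's code; the provider registration table is constructed for illustration, and the longest-prefix lookup, subdomain rule and alert wording are the example's own choices. It handles the three outcomes a practitioner has to distinguish: a consistent name, a name that contradicts the registration, and an address for which no registration is known (which cannot be vouched for and is therefore also alerted).

```python
"""Check that the domain name shown to the local party for a connection
agrees with the registration information held by the remote party's
connectivity provider, and produce an alert when it does not.

Added example. The registration table below stands in for the provider's
records and is constructed for illustration; the lookup and comparison
logic is this example's own, not taken from the patent or any product.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed provider registration data (enterprise data): address block
# -> domain registered to the customer holding that block.
REGISTRATIONS: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "example.com"),
    ("203.0.113.128/25", "partner.example.net"),  # more specific sub-block
    ("2001:db8::/32", "example.org"),
]

_NETWORKS = [(ipaddress.ip_network(cidr), dom.lower()) for cidr, dom in REGISTRATIONS]


def registered_domain(ip: str) -> Optional[str]:
    """Longest-prefix match of `ip` against the registration table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dom in _NETWORKS:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dom)
    return best[1] if best else None


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot of an absolute DNS name."""
    return name.strip().rstrip(".").lower()


def _same_or_subdomain(shown: str, registered: str) -> bool:
    # The leading dot stops 'notexample.com' from matching 'example.com'.
    return shown == registered or shown.endswith("." + registered)


def check_remote_party(ip: str, displayed_domain: str) -> Dict[str, Optional[str]]:
    """Correlate the displayed domain with the provider's registration.

    Returns the registered domain and an 'alert' string for the local
    party, or alert=None when the displayed name is consistent with it.
    """
    shown = _normalize(displayed_domain)
    registered = registered_domain(ip)
    if registered is None:
        alert = f"{ip} is not covered by any known registration; '{shown}' cannot be verified"
    elif _same_or_subdomain(shown, registered):
        alert = None
    else:
        alert = f"displayed name '{shown}' does not match '{registered}' registered for {ip}"
    return {"ip": ip, "displayed": shown, "registered": registered, "alert": alert}


if __name__ == "__main__":
    for ip, shown in [("203.0.113.10", "mail.example.com"),
                      ("203.0.113.200", "www.example.com"),
                      ("198.51.100.7", "bank.example")]:
        print(check_remote_party(ip, shown))
```

The second sample case is the one the correlation exists for: 203.0.113.200 sits inside a sub-block registered to a different customer, so a connection from it that presents itself as www.example.com is flagged even though the name is plausible for the parent block. Treating "no registration found" as an alert rather than a pass is deliberate; silently accepting unknown addresses would let an attacker sidestep the check by connecting from space the provider has not recorded.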